DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting

Browser fingerprinting aims to identify users or their devices, through scripts that execute in the users’ browser and collect information on software or hardware characteristics. It is used to track users or as an additional means of identification to improve security. Fingerprinting techniques have one significant limitation: they are unable to track individual users for an extended duration. This happens because browser fingerprints evolve over time, and these evolutions ultimately cause a fingerprint to be confused with those from other devices sharing similar hardware and software. In this paper, we report on a new technique that can significantly extend the tracking time of fingerprint-based tracking methods. Our technique, which we call DRAWNAPART, is a new GPU fingerprinting technique that identifies a device from the unique properties of its GPU stack. Specifically, we show that variations in speed among the multiple execution units that comprise a GPU can serve as a reliable and robust device signature, which can be collected using unprivileged JavaScript. We investigate the accuracy of DRAWNAPART under two scenarios. In the first scenario, our controlled experiments confirm that the technique is effective in distinguishing devices with similar hardware and software configurations, even when they are considered identical by current state-of-the-art fingerprinting algorithms. In the second scenario, we integrate a one-shot learning version of our technique into a state-of-the-art browser fingerprint tracking algorithm. We verify our technique through a large-scale experiment involving data collected from over 2,500 crowd-sourced devices over a period of several months and show it provides a boost of up to 67% to the median tracking duration, compared to the state-of-the-art method. DRAWNAPART makes two contributions to the state of the art in browser fingerprinting. 
On the conceptual front, it is the first work that explores the manufacturing differences between identical GPUs and the first to exploit these differences in a privacy context. On the practical front, it demonstrates a robust technique for distinguishing between machines with identical hardware and software configurations, a technique that delivers practical accuracy gains in a realistic setting.

*Both authors are considered co-first authors.
